[Bro] Finer detail on mime types

Seth Hall seth at corelight.com
Mon Jul 10 13:09:07 PDT 2017

That is a bit of an overloaded mime-type I'm afraid.  We did build the
files framework in Bro so that it could be extended to provide quite a
bit of extra information when the file is "sniffed".  The primary
problem that we'd have with providing that information at the moment
is lack of a way to analyze excel files.


On Fri, Jul 7, 2017 at 4:11 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> So in looking at xlsm/docm files I noticed this...where bro says:
> application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
> but the pcap says:
> application/vnd.ms-excel.sheet.macroenabled.12
> Is there a way to fine tune this in bro?  Identifying files flying
> around with macros would be wonderful...thank you.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com

More information about the Bro mailing list